Lessons from a criminal HIPAA verdict

© profit_image - stock.adobe.com

A recent jury verdict serves as a reminder that criminal HIPAA penalties are alive and well.

At issue in this criminal case was the Defendant’s obtaining then-Supreme Court Justice Ruth Bader Ginsberg’s electronic health records by “remotely access[ing] … and t[aking] a screenshot of [her] protected health information” and subsequently “destroying evidence in a federal investigation.” The indictment was filed in the Eastern District of Virginia on December 13, 2023 (Case No. 1:23-cr-00195) and on July 31, 2024, a jury returned a verdict finding the Defendant, Trent James Russell “guilty” on Count 1 (Destruction and Alteration of Records, 18 U.S.C. § 1519) and Count 2 (Obtaining Individually Identifiable Health Information, 42 U.S.C. § 1320d-6(a)(2) and (b)(1)) and “not guilty” on Count 3 (Disclosing Individually Identifiable Health Information [IIHI], 42 U.S.C. § 1320d-6(a)(3) and (b)(1)).

A couple of notes before delving into specific counts that rendered a guilty verdict. First, the “legal burden of proof required to affirm a conviction in a criminal case” is “beyond a reasonable doubt.” This requires the Government to prove that a “defendant is guilty beyond all reasonable doubt” which essentially means that there is no other reasonable explanation that can be derived by the evidence and requires the jury to be “virtually certain of the defendant’s guilt.” Second, the Government has options when it comes to the illicit viewing and/or use of IIHI – criminal penalties under HIPAA and/or aggravated identity theft (18 U.S.C. §1028(a)) (“AIT”).

In this case, the Government opted for criminal HIPAA violations; however, in previous cases, it has opted to use only the aggravated identity theft statute or a combination of both HIPAA and AIT. For example, on May 31, 2023, an Arizona defendant was sentenced to fifty-four (54) months after pleading guilty to AIT and criminal HIPAA violations. On Jan. 30, a defendant was sentenced to nine (9) years for “orchestrating a nearly $2.8 million health care fraud and wire fraud conspiracy and engaging in money laundering, aggravated identity theft, and witness tampering.” Notably, in Dubin v. United States, 599 U.S. ___ (2023), the U.S. Supreme Court held that ‘[u]nder §1028A(a)(1), a defendant ‘uses’ another person’s means of identification ‘in relation to’ a predicate offense when the use is at the crux of what makes the conduct criminal.” As to what statute(s) the Government chooses to utilize, it comes down to prosecutorial discretion.

The Russell verdict offers three key take-aways:

• Destroying evidence is never advisable and can result in a longer criminal sentence;
• The Government proved and the jury was convinced beyond a reasonable doubt of the Defendant’s wrongful obtaining of PHI and his spoliation of evidence; and
• He faces a maximum penalty of 20 years and is scheduled for sentencing on November 7, 2024.

In sum, the Government can and does use the criminal penalties available to it under HIPAA.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.